Web bugs and legal ethics are in the news this week. Navy lawyers prosecuting the high-profile court martials two former SEALS allegedly inserted email tracking software into emails sent to the defense team and media outlets. The Military Times, the ABA Journal, the Guardian, and the Associated Press covered the story.

First, what’s a web bug? For the purposes of this post, a web bug is email tracking software.

Ok, so why is that important? Read the articles on the Navy cases. The ABA Journal headline sums it up: “Defense lawyers accuse military prosecutor of sending them emails with tracking software.”

More specifically, imagine yourself representing one of the accused. Now, further imagine yourself receiving an email from the prosecutor. An email that includes the type of tracking software at issue in the ISBA advisory opinion. Per the ISBA:

“The present inquiry involves the use of email ‘tracking’ software, applications that
permit the sender of an email message to secretly monitor the receipt and subsequent handling of the message, including any attachments. The specific technology, operation, and other features of such software appear to vary among vendors. Typically, however, tracking software inserts an invisible image or code into an email message that is automatically activated when the email is opened. Once activated, the software reports to the sender, without the knowledge of the recipient, detailed information regarding the recipient’s use of the message. Depending on the vendor, the information reported back to the sender may include: when the email was opened; who opened the email; the type of device used to open the email; how long the email was open; whether and how long any attachments, or individual pages of an attachment, were opened; when and how often the email or any attachments, or individual pages of an attachment, were reopened; whether and what attachments were downloaded; whether and when the email or any attachments were forwarded; the email address of any subsequent recipient; and the general geographic location of the device that received the forwarded message or attachment.”

A few thoughts.

To date, nearly everyone agrees that it’s a violation of the Rules of Professional Conduct to insert web bugs into emails sent to an opposing party or counsel.

The SEAL story raises a perfect example of tech competence. Earlier this month, one of the lead defense attorneys received an email from the prosecutor. Unlike prior emails from the prosecutor, it contained an unusual logo below the prosecutor’s signature. The logo was of a bald eagle and American flag perched on the scales of justice. The image aroused the attorney’s suspicions. So much so that he wrote to the prosecutor:

“I am writing regarding your emails from yesterday, which contained an embedded image that was not contained in any of your previous emails. At the risk of sounding paranoid, this image is not an attachment, but rather a link to an unsecured server which, if downloaded, can be used to track emails, including forwards. I would hope that you aren’t looking to track emails of defense counsel, so I wanted to make sure there wasn’t a security breach on your end. Given the leaks in this case, I am sure you can understand.”

Well, here we are. Sometimes they are out to get you.

Finally, I want to reiterate a point I made when I first blogged about the Illinois advisory opinion.

I do not disagree with any of the four opinions that have concluded that a lawyer’s surreptitious intrusion into a privileged relationship violates the rules. However, I differ with one aspect of the Illinois opinion.

The ISBA noted that “there do not appear to be any generally available or consistently reliable devices or programs capable of detecting or blocking email tracking software.” As I stated then, I am not certain that I agree. Indeed, shortly after I posted my blog, several tech vendors who follow me on social media either commented on the post or reached out to me privately. Without exception, they agreed that there are a host of reasonably available countermeasures for law firms to employ against web bugs.

Moreover, I think it’s risky for a lawyer to rely on the old “well, they shouldn’t be unethically spying on me.”

I agree, nobody should be spying on you. And, when it comes to web bugs and email traacking software, the spies might always remain one step ahead.

But that does not relieve you of the duty to stay abreast of developments in technology and to take reasonable precautions against the unauthorized access to or inadvertent disclosure of information related to the representation of a client.

My job includes educating lawyers as to the duties imposed by the Rules of Professional Conduct. With respect to client information, the duty is to take reasonable precautions to protect against inadvertent disclosure or unauthorized access.

Lawyers often push back. I’m asked:

if I encrypt email and data, I’m good, right?

if I use ABC Cloud Storage company, I’m good, right?

XYZ Cloud Storage company is risky, right?

I will not answer “yes” or “no.”

For instance, what encryption tool do you use? Does your cloud storage vendor encrypt data in transmission, at rest, or both?

Further, I will not bless, endorse, or disapprove of companies, vendors, or products. Maybe when I leave this job and go work for one of the legal tech companies. For now, however, that is not my role.

I understand your frustration. But, I explained myself in this post when I wrote:

No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaluating a lawyer’s duty with every new technology. Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.

A lawyer’s duty to take reasonable precautions to protect client information does not change with technology. Today’s duty is the same that would exist if we lived in Westeros and communicated with clients by raven. As I blogged here:

No, the question should not be “is this new way of storing information ethical?” Nor should it be “is it okay to use smoke signals to communicate with my client?” Rather, whenever the next big thing comes along, the question should be “does this means of transmitting and storing client information provide reasonable precautions and safeguards against unauthorized access and disclosure.”

“What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”

The ABA went on:

“Therefore, in an environment of increasing cyber threats, the Committee concludesthat, adopting the language in the ABA Cybersecurity Handbook, the reasonable effortsstandard:

. . . rejects requirements for specific security measures (such as firewalls,passwords, and the like) and instead adopts a fact-specific approach to businesssecurity obligations that requires a ‘process’ to assess risks, identify and implementappropriate security measures responsive to those risks, verify that they areeffectively implemented, and ensure that they are continually updated in responseto new developments.”

Again, when transmitting, communicating, and storing client information and data, a lawyer has a duty to take reasonable precautions against inadvertent disclosure or unauthorized access.

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud. I started by saying that I hoped it was my final seminar on the topic. I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent. See, Rule 1.6. A lawyer also has a duty to keep client property safe. See, Rule 1.15.

I view the cloud as the latest in a long line of different places to store information. In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16]. When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. Rule 1.6, Comment [17].

So, think about cloud storage like this: client information is electronically transmitted to a place where it will be kept. Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06. Here’s the digest of the opinion:

“Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

The question I hear most often is this: “what are reasonable precautions?” In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

who do you let into this facility?

do you require a passcode or badge for the gate?

are there locks on the individual units?

who besides me has a key or knows the combination?

can i get into my unit whenever i want to?

what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion. The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi. He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

Is it a solid company with a good reputation and record?

Can you get access to your data whenever you want, without restrictions?

If your service is terminated – by you or by the company – can you retrieve your data?

Does it allow use of advanced password protocols and two-step verification?

What are its internal policies regarding employee and third-party access to your data?

Is your data encrypted both while in transit and while at rest on the company’s servers?

How is your data backed up?

What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough. You need to understand the answers or find someone who does. For example, imagine this:

You: Will my data be encrypted in transmission and at rest?

Vendor: Yes. In transmission, we use a BTTF Flux Capacitor. At rest, we use the latest cloaking technology from Romii.

You. Sounds awesome. Sign me up.

Umm, no. You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions. This entry includes links that will help you determine what “reasonable precautions” are. Don’t fear the cloud but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

This year, the Vermont Judiciary will start the rollout of its Odyssey Case Management System (“CMS”).

In January, Judge Kate Hayes, Andy Stone (the Judiciary’s CMS Project Director) and me presented a CLE on the new system. Our CLE opened the Vermont Bar Association’s YLD Thaw. The VBA has graciously made the material available here. Judge Hayes & Andy addressed practical issues, while I touched on ethics issues associated with e-filing.

This will sound odd coming from a blogger who built this blog on the mantra “competence includes tech competence.” But, with respect to the ethics issues associated with the new CMS, my message is this:

Don’t get too caught up in the tech aspect of it. The fact is, your duties will be no different than in a paper-based system. That is, the duty to provide clients with competent representation will include understanding what the rules of electronic filing require.

On that note, I have good news.

E-filing isn’t new. It was introduced in the state courts in 2010. In addition, many of you practice in the federal District Court and Bankruptcy Court. E-filing is a thing in each. In all my time here, I’ve received fewer than 3 complaints alleging that a lawyer’s lack of tech proficiency negatively impacted a client’s matter.

The Vermont Judiciary has adopted rules for electronic filing. As I understand it, a committee is looking at prposed changes to the rules. If and when those changes are made, they will be available on the Judiciary’s website.

The CMS rollout will progress in stages. That is, the Judicial Bureau, the Environmental Unit, the Supreme Court, and the various units (counties) will come online over time. As courts in which you appear transitionto CMS, you should familiarize yourself with the rules for electronic filing.

Fear not. Remember: fewer than 3 complaints.

Also, when it comes to technology, it’s usually not “tech” that gets a lawyer in trouble. It’s using tech to do something that would’ve been unethical if done without tech.

(The same post includes a digest of cases & opinions in which lawyers were sanctioned for disclosing client confidences in response to negative online reviews. Remember, it’s not the fact that the confidences were disclosed online that’s the problem: it’s that they were disclosed!)

Similarly, as I blogged here, comments that would’ve been inappropriate in a telegram to a client are no less inappropriate because they were made via Messenger.

Which gets me to final point: whether by smoke signal, spoken word, typed document, or electronic submission, dishonesty is unethical.

Preparing for the Montreal seminar, I asked attorney regulators in states that have moved exclusively to e-filing to share with me any cases in which lawyers were disciplined for conduct involving “e-filing.” Here are some of the responses:

“The worst ethical dilemma/violation I have experienced with e-filing involved a recently terminated associate from a Regional Workers Comp Firm. He called me to tell me that once his firm terminated him a managing partner ordered a surviving associate to ‘pull all his files and draft and e-file Motions to Withdraw stating [the terminated lawyer] is no longer with the Firm…’ The Partner then directed the associate/assistant to e-file the Motions under terminated attorney’s name and file with [the terminated lawyer’s] e-file credentials!!!! Terminated attorney received email notifications on several Motions and Orders granting the Motions before he was able to call the Clerk’s office and state that someone was filing under his name without his permission.”

Yes, believe it or not, impermissibly using another lawyer’s e-filing credentials, and forging that lawyer’s e-signature, is a problem. And it’s a problem that has little to do with “tech.”

2. “We have had a couple of instances of one lawyer allegedly e-signing opponents counsel to an unagreed to stipulation.”

Yes, believe it or not, fraudulently “signing” opposing counsel’s name is a problem. And it’s a problem that has nothing to do with “tech.”

3. “Mike, here’s one for you … a lawyer ‘e-filed’ a declaration with the expert signing electronically (“/s/”) … but the lawyer knew the expert refused to sign … our court suspended the lawyer for 90 days.”

Yes, believe it or not, fraudulently “signing” an expert’s name to a declaration that you know the expert had refused to sign herself is a problem. And it’s a problem that has nothing to do with “tech.”

Finally, I became aware of a case in which a United States Bankruptcy Court (not Vermont’s) raised concerns over a lawyer’s lack of proficiency at filing electronically. So, the court assigned the lawyer “homework.” The “homework” was to re-file 9 documents, without any mistakes, and without assistance from another lawyer.

The lawyer paid another attorney to file the documents.

As a result, the bankruptcy court suspended the lawyer from practicing before it. Again, intentionally disobeying a court order has little to do with “tech” or “e-filing.”

Will e-filing be new to some of you? Yes.

Will you have to learn things along the way? Yes.

Will some of you need help figuring out how to e-file? Yes.

Is mandatory e-filing likely to put your license at risk? No.

As I’ve indicated, it’s not e-filing itself that trips up attorneys. Rather, it’s engaging in conduct that would’ve been unethical at every moment in the entire history of a regulated practice of law.

At CLEs over the past few months, lawyers have seemed surprised to hear me suggest that the duty of competence includes advising clients to refrain from social media posts that could be detrimental to their cases.

The surprise surprises me.

Indeed, I’ve often followed up by asking whether anyone has had a client’s social media post used by the other side. The raised hands and nodding heads tell me that it happens.

A lot.

So if we know that it’s happening a lot, shouldn’t we advise our clients not to do it?

“ ‘Likely you have a whole team of people doing damage control,’ says Ann Murphy, a professor at the Gonzaga University School of Law who published ‘Spin Control and the High-Profile Client’ in the Syracuse Law Review. ‘The attorney needs to be very, very careful to keep the client’s legal advice separate.’

‘Attorneys, as part of their ethical duties, must now counsel their clients on the use of social media,’ Murphy says. ‘Once it is out there, it is out there. Even if someone deletes a Facebook post—it likely has been saved as a screenshot and is of course subject to discovery,” she adds. ‘Personally, I think the best advice is tell the client that any posts about his or her case must be viewed in advance by the attorney.'”

I get it. Both the ABA Journal and Professor Murphy are focusing on lawyers who represent celebrities. Still, look again at one of Professor Murphy’s statements:

” ‘Once it is out there, it is out there. Even if someone deletes a Facebook post—it likely has been saved as a screenshot and is of course subject to discovery. ‘ ”

That could be any client, celebrity or not.

The ABA Journal poses a “question of the week.” Each new question is followed by the “featured to response” to the prior week’s question.

“In some ways, I take a more laissez-faire approach than many attorneys: Yes, I would love it if my clients would avoid social media, but at the end of the day, they’re going to do what they want to do. If they were great at heeding sensible advice, they probably wouldn’t have ended up in my office in the first place. I ask them to think before they post. I ask them to review their privacy settings. I ask that they avoid posting things directly related to the case at hand. And then, I just cross my fingers that the guy on trial for trying to strangle his girlfriend doesn’t post a meme about strangling one’s girlfriend.” (emphasis added)

The advice in bold? Seems pretty simple.

Not only that, when we know that the other side is looking, it’s advice that competent lawyers provide.

In 2015, the State Bar of California’s Standing Committee on Professional Responsibility and Conduct issued Formal Opinion 2015-193. The opinion responds to the question “[w]hat are an attorney’s ethical duties in the handling of discovery of electronically stored information?” Here’s the first sentence of the digest:

“Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (‘ESI’).”

Four years later, I sense that the issue continues to worry some lawyers. It should. Our world is replete with ESI. As such, and to the extent that the outcome of client matters turns on “information,” ESI can be incredibly important to clients and their matters. Especially litigation matters.

To borrow a phrase from Larry David and Teri Hatcher, my blog posts are real and they’re spectacular! Apparently not all law blogs can truthfully say the former.

Last month, the ABA Journal posted Ghostwriting for law blogs? Ethics are murky. It’s a topic that’s new to me, one not raised in any of the ethics inquiries or formal disciplinary complaints that I’ve responded to and reviewed over the years. The ABA Journal post includes insight from some of the more well-known voices on both professional responsibility and tech ethics.

But let’s back up for a moment. You might be asking your self: “self, what is Mike even talking about?” Good question.

“What are We Talking About?

The ghost-blogging I’m talking about is when an attorney pays someone else (a non-attorney) to write articles published under the attorney’s name on the attorney or law firm’s website. As a result, the world thinks the attorney wrote it when the attorney had little to no part in its creation.”

Again, not an issue I’ve encountered. But, an issue that raises ethics concerns.

Many law blogs are part of a lawyer’s website. Websites communicate information about the services that the lawyer provides. Per V.R.Pr.C. 7.1,

“A lawyer shall not make a false or misleading communication about the lawyer or the lawyer’s services. A communication is false or misleading if it contains a material misrepresentation of fact or law, or omits a fact necessary to make the statement as a whole not materially misleading.”

The final sentence of Comment [1] is “whatever means are used to make known a lawyer’s services, statements about them must be truthful.”

So, let’s say that a firm focuses on Practice Area. And let’s say that the firm’s website includes a blog dedicated to Practice Area. Does the firm violate the rules by paying a content developer to ghostwrite the posts and then posting them under the “byline” of one of the firm’s lawyers?

My gut reaction was “is it really THAT misleading?” But then I paused. Because whenever we start asking whether something “is really THAT misleading,” we’ve established that it is, in fact, misleading.

In that it never arises, I don’t want to belabor the issue. Suffice to say, if your website or blog includes posts that you paid someone else to ghostwrite, check out the articles referenced above.

Finally, I proof read by reading aloud. Reading this blog about law blogs aloud reminded me of two things.

The post highlighted the Florida Supreme Court’s conclusion”that an allegation that a trial judge is a Facebook ‘friend’ with an attorney appearing before the judge, standing alone, does not constitute a legally sufficient basis for disqualification.” I blogged that I agreed, but concluded with:

“Finally, remember: just like real-life relationships, a Facebook friendship or other social media connection might create an appearance that provides a basis to inquire further. So maybe it’s best to avoid such connections.”

At the time, I didn’t think it necessary to add “for instance, a judge shouldn’t accept a FB friend request from a litigant a week after a contested hearing, but before the judge has issued a ruling.” Seems obvious, right? Apparently not to all.

Yesterday, Kevin Lumpkin tipped me off to this opinion from an appellate court in Wisconsin. Besides being timely – the opinion only issued yesterday – Kevin is also a regular member of the #fiveforfriday Honor Roll in legal ethics.

Kevin – thanks for the tip!

Here’s what happened.

In 2011, Angela and Timothy stipulated to an order granting them joint legal custody of their child. In 2016, Angela moved to modify the order. A hearing on the motion took place in June 2017. Among other things, Angela argued that Timothy had physically abused her. The judge allowed the parties 10 days to file post-hearing memoranda and took the matter under advisement.

The critical section of the timeline:

June 16: Angela and Timothy each filed post-hearing memos.

June 19: the judge accepted a Facebook friend request from Angela.

June 19-July 14: Angela “liked” 18 of the judge’s Facebook posts and commented on two of them. She had also liked or shared multiple third-party posts related to domestic violence.

July 14: the judge issued his ruling.

The judge granted Angela’s motion. He concluded that had established that Timothy’s pattern of domestic abuse was a substantial change in circumstances that warranted a modification of the order.

Angela’s Facebook friendship with the judge eventually came to light. Timothy appealed, arguing that, at the very least, the e-relationship created an “appearance of partiality.”

The appellate court agreed that it had. Indeed, given the facts peculiar to the case, the court saw no need to address when, exactly, a social media relationship requires disqualification. As they say, it was a no-brainer. The court reversed and remanded the judge’s decision, and directed that a different judge consider Angela’s original motion.

I remain of the opinion that a social relationship, standing alone and whether electronic or “real life,” is not a sufficient basis to disqualify a lawyer from appearing before a judge. I also remain of the opinion that such relationships merit further inquiry before proceeding.

But the Wisconsin case did not involve a pre-existing relationship. Angela actively sought the judge’s electronic friendship while her motion remained pending! As the Wisconsin appellate court noted:

“First, the time when [the judge] and [Angela] became Facebook ‘friends’ would cause a reasonable person to question the judge’s partiality. Although [the judge] apparently had thousands of Facebook ‘friends,’ [Angela] was not simply one of the many people who ‘friended’ him prior to this litigation. Rather, [Angela] was a current litigant who reached out to [the judge] and requested to become his Facebook ‘friend’ after testifying at a contested hearing, at which [the judge] was the sole decision-maker. [The judge] then took the affirmative step to accept this ‘friend’ request before issuing his decision in this case.

Take social media out of it. The result – an appearance of partiality – is no different than if the judge had agreed to buy a ticket to a calcutta to raise money for Angela’s kid’s school trip. Or accepted an invitation to join her gym.

In my view, Rules 1.1 and 1.6 impose a duty to act competently to prevent the unauthorized access to or disclosure of information relating to the representation of a client. I’ve blogged on this issue many times:

Next week, I’m presenting two seminars at the YLD Mid-Winter Thaw in Montreal. In the first, I’m on a panel with Judge Hayes and the Judiciary’s Andy Stone. Judge Hayes and Andy will introduce lawyers to the Judiciary’s new case management system. My job will be to chime in on ethics issues that might arise with electronic filing. My thoughts will focus on tech competence.

Imagine this scenario: whether in a filing or a communication to opposing counsel, a lawyer includes a PDF. Prior to transmission, the lawyer redacted the PDF to keep certain information confidential. Alas, the lawyer did not properly redact the PDF. By highlighting the redacted the portions and pasting them into a new document, opposing counsel, or anyone else with access to the PDF, can discover what the lawyer intended to obscure. The filing is here.

Did the lawyer take reasonable precautions to protect the information? Was it a one-time mistake that doesn’t rise to the level of an ethics violation? What if it was information that the court had ordered remain confidential and now is public?

Earlier this week, lawyers for Paul Manafort, President Trump’s former campaign chair, filed a response to special counsel Robert Mueller’s allegation that Manafort lied to Mueller’s investigators. Due to what the ABA Journal described as a “technical oversight,” the filing was not properly redacted. As such, the media was able to discover that Manafort is accused of sharing polling data with a Russian business person. The story has been covered by the ABA Journal, BuzzFeed, Fox News, and the Washington Post.

(Update at 1:16 PM on January 10: Above The Law’s Joe Patrice has a great recap here.)

Go back to the scenario I posited above: what if that’s you in a Vermont case? What if you meant to redact a client’s proprietary information, or a witness’s mental health records, or a confidential informant’s identity? What if you didn’t do it right?

Professor Alberto Bernabe often appears on this blog’s #fiveforfriday Honor Roll. He also has his own blog and, last week, blogged on an advisory from the DC Bar. The opinion addresses the ethics issues that arise when a lawyer’s client crowdfunds legal fees.

The opinion is here. Professor Bernabe’s blog post is here. He wrote more extensively on the topic in this article that pre-dates the DC advisory opinion.

I’ve also blogged on the topic. I did so here in response to an advisory opinion from the Philadelphia Bar Association. I wrote:

“That’s why the Philly opinion is great. It doesn’t treat ‘crowdfunding platforms’ as new creatures that require new rules. Rather, it reminds lawyers that the rules that apply when using a crowdfunding platform are the same rules that apply to any other representation.”

As Professor Bernabe notes, the DC Bar opinion is consistent with the Philadelphia opinion and others on crowdfunding.

I like the following statement from the DC Bar:

“It is not unusual for clients to rely on money collected from family or friends to pay for legal services.”

Indeed, many Vermont lawyers accept payment from someone other than the client. The most common situation? A parent pays for a child’s lawyer in a criminal or family case.

When that happens, it’s critical for the lawyer to remember Rule 1.8(f):

“A lawyer shall not accept compensation for representing a client from one other than the client unless (1) the client gives informed consent; (2) there is no interference with the lawyer’s independence of professional judgment or with the client-lawyer relationship; and (3) information relating to the representation of a client is protected as required by Rule 1.6.”

In other words, even if Parents are paying Lawyer to represent Child, they don’t get to direct the representation and, absent Child’s consent, Lawyer cannot disclose information relating to the representation to them.

Somewhat related, the DC Bar included a great tip in Ethics Opinion 375:

“A lawyer should consider counseling his or her client regarding disclosures to third parties. Crowdfunding typically entails some level of disclosure to third parties about the predicate need for counsel. Because of their financial support, crowdfunding contributors may be interested in the status of or information about the client’s matter. Due to the risk of waiver of the attorney-client privilege, or simply for strategic reasons, a lawyer who knows that a client is crowdfunding should provide the appropriate level of guidance to the client regarding disclosures to third parties, whether such disclosures occur on a social media platform or privately in discussions with friends and family.”

In sum, nothing about using a social media platform to crowdfund legal fees is inherently unethical. Oh, and as mentioned in both the Philadelphia and D.C. advisory opinions: crowdfunding helps provide access to legal services to those who otherwise might not be able to afford a lawyer.

I’ve blogged often on a lawyer’s duty to act competently to safeguard client data. Generally, an attorney must take reasonable precautions to protect against inadvertent or unauthorized disclosure of client information. Some of my posts:

Prior to a breach, a lawyer has a duty to act competently to safeguard client property and information. This likely includes adopting an “incident response plan” that will kick in once a breach occurs.

The duty includes an obligation “to monitor the security of electronically stored client property and information.” In other words, there’s a duty to take reasonable efforts to monitor for and detect unauthorized access. This includes reasonable steps to ensure that vendors act in accordance with the lawyer’s professional obligations.

A breach is not necessarily evidence that the lawyer failed to act competently to safeguard client information.

If a breach occurs, a lawyer must take reasonable steps to stop it and mitigate the damage that results.

If a breach occurs, a lawyer must assess its scope. This includes determining what information, if any, was lost or accessed.

A lawyer must notify current clients if the breach:

involves material, confidential client information; or,

impairs or prevents the lawyer from representing the client. For example, as would be the case in a ransomware attack.

Lawyers must be aware that their ethical obligations are independent of any post-breach obligations imposed by law. Compliance with professional obligations is not necessarily compliance with other law, and vice versa.

As usual, I like to analogize to non-tech issues. For instance, when it comes to paper files, most lawyers probably know that there’s a duty to take reasonable safeguards to protect them. Locked file cabinets. Locked rooms. Secure office space.

If a lawyer arrives at work and realizes that the office has been broken into, I imagine the lawyer would intuitively understand the need to determine what, if anything, was viewed or taken. Then, as appropriate, will notify clients. I also imagine that the lawyer would replace the broken locks, doors, and windows.

Thus, in my view, the ABA opinion clarifies that very standards that most of us already apply to clients’ paper files also applies to their electronic files.